vernesong / OpenClash

A Clash Client For OpenWrt
MIT License

After starting OpenClash, a large number of TCP requests appear and push the CPU to full load #1396

Closed · ToroLing closed this 3 years ago

ToroLing commented 3 years ago

No matter whether I disable all plugins and Docker, reflash the firmware, or upgrade or downgrade the version, this keeps happening. Can you tell me which setting is wrong?


```text
===================== 系统信息 =====================
主机型号: Phicomm N1
固件版本: OpenWrt SNAPSHOT r3193-1549187fc
LuCI版本: git-21.114.56541-974fb04-1
内核版本: 5.4.118-flippy-58+o
处理器架构: aarch64_cortex-a53

#此项在使用Tun模式时应为ACCEPT
防火墙转发: ACCEPT

#此项有值时建议到网络-接口-lan的设置中禁用IPV6的DHCP
IPV6-DHCP:

#此项结果应仅有配置文件的DNS监听地址
Dnsmasq转发设置: 127.0.0.1#7874

===================== 依赖检查 =====================
dnsmasq-full: 已安装
coreutils: 已安装
coreutils-nohup: 已安装
bash: 已安装
curl: 已安装
jsonfilter: 已安装
ca-certificates: 已安装
ipset: 已安装
ip-full: 已安装
iptables-mod-tproxy: 已安装
kmod-ipt-tproxy: 已安装
iptables-mod-extra: 已安装
kmod-ipt-extra: 已安装
libcap: 已安装
libcap-bin: 已安装
ruby: 已安装
ruby-yaml: 已安装
ruby-psych: 已安装
ruby-pstore: 已安装
ruby-dbm: 已安装
kmod-tun(TUN模式): 已安装
luci-compat(Luci-19.07): 已安装

===================== 内核检查 =====================
运行状态: 运行中
进程pid: 24351
运行权限: 24351: = cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_resource+eip
运行用户: nobody
已选择的架构: linux-armv8

#下方无法显示内核版本号时请确认您的内核版本是否正确或者有无权限
Tun内核版本: 2021.04.08
Tun内核文件: 存在
Tun内核运行权限: 正常

Game内核版本:
Game内核文件: 不存在
Game内核运行权限: 否

Dev内核版本:
Dev内核文件: 不存在
Dev内核运行权限: 否

===================== 插件设置 =====================
当前配置文件: /etc/openclash/config/X-air.yaml
启动配置文件: /etc/openclash/X-air.yaml
运行模式: fake-ip
默认代理模式: rule
UDP流量转发(tproxy): 启用
DNS劫持: 启用
自定义DNS: 启用
IPV6-DNS解析: 停用
禁用Dnsmasq缓存: 启用
自定义规则: 停用
仅允许内网: 停用
仅代理命中规则流量: 停用
仅允许常用端口流量: 停用
绕过中国大陆IP: 停用

#启动异常时建议关闭此项后重试
混合节点: 停用
保留配置: 停用

#启动异常时建议关闭此项后重试
第三方规则: 停用

===================== 防火墙设置 =====================
NAT chain
# Generated by iptables-save v1.8.4 on Mon Jun 7 19:23:14 2021
*nat
:PREROUTING ACCEPT [4599:363838]
:INPUT ACCEPT [4962:302236]
:OUTPUT ACCEPT [11859:726859]
:POSTROUTING ACCEPT [10977:661586]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:openclash - [0:0]
:openclash_output - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -d 8.8.4.4/32 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 7892
-A PREROUTING -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 7892
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting
-A PREROUTING -p udp -m udp --dport 53 -m comment --comment dns_hijack -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -m tcp --dport 53 -m comment --comment dns_hijack -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -j openclash
-A OUTPUT -j openclash_output
-A POSTROUTING -o pppoe-wan -j MASQUERADE
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -p tcp -j REDIRECT --to-ports 7892
-A openclash_output -p tcp -m tcp --sport 1688 -j RETURN
-A openclash_output -p tcp -m tcp --sport 10240 -j RETURN
-A openclash_output -p tcp -m tcp --sport 1194 -j RETURN
-A openclash_output -m set --match-set localnetwork dst -j RETURN
-A openclash_output -d 198.18.0.0/16 -p tcp -m owner ! --uid-owner 65534 -j REDIRECT --to-ports 7892
-A openclash_output -p tcp -m owner ! --uid-owner 65534 -j REDIRECT --to-ports 7892
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_vpn_postrouting -m comment --comment "!fw3: Custom vpn postrouting rule chain" -j postrouting_vpn_rule
-A zone_vpn_postrouting -m comment --comment "!fw3" -j FULLCONENAT
-A zone_vpn_prerouting -m comment --comment "!fw3: Custom vpn prerouting rule chain" -j prerouting_vpn_rule
-A zone_vpn_prerouting -m comment --comment "!fw3" -j FULLCONENAT
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j FULLCONENAT
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -m comment --comment "!fw3" -j FULLCONENAT
COMMIT
# Completed on Mon Jun 7 19:23:14 2021

Mangle chain
# Generated by iptables-save v1.8.4 on Mon Jun 7 19:23:14 2021
*mangle
:PREROUTING ACCEPT [290697:25730063]
:INPUT ACCEPT [290153:25581991]
:FORWARD ACCEPT [163:9762]
:OUTPUT ACCEPT [228264:54983131]
:POSTROUTING ACCEPT [228376:54991254]
:openclash - [0:0]
-A PREROUTING -p udp -j openclash
-A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A openclash -p udp -m udp --dport 1194 -j RETURN
-A openclash -p udp -m udp --dport 500 -j RETURN
-A openclash -p udp -m udp --dport 546 -j RETURN
-A openclash -p udp -m udp --dport 68 -j RETURN
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -p udp -m udp --dport 53 -j RETURN
-A openclash -p udp -j TPROXY --on-port 7892 --on-ip 0.0.0.0 --tproxy-mark 0x162/0xffffffff
COMMIT
# Completed on Mon Jun 7 19:23:14 2021

===================== IPSET状态 =====================
Name: cn
Name: ct
Name: cnc
Name: cmcc
Name: crtc
Name: cernet
Name: gwbn
Name: othernet
Name: music
Name: mwan3_connected_v4
Name: mwan3_connected_v6
Name: mwan3_source_v6
Name: mwan3_dynamic_v4
Name: mwan3_dynamic_v6
Name: mwan3_custom_v4
Name: mwan3_custom_v6
Name: localnetwork
Name: shuntlist
Name: gfwlist
Name: chnroute
Name: blacklist
Name: shuntlist6
Name: gfwlist6
Name: chnroute6
Name: blacklist6
Name: mwan3_connected

===================== 路由表状态 =====================
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         113.99.219.1    0.0.0.0         UG    0      0        0 pppoe-wan
113.99.219.1    0.0.0.0         255.255.255.255 UH    0      0        0 pppoe-wan
172.31.0.0      0.0.0.0         255.255.255.0   U     0      0        0 docker0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan

ip route list
default via 113.99.219.1 dev pppoe-wan proto static
113.99.219.1 dev pppoe-wan proto kernel scope link src 113.99.219.160
172.31.0.0/24 dev docker0 proto kernel scope link src 172.31.0.1 linkdown
192.168.0.0/24 dev br-lan proto kernel scope link src 192.168.0.254

ip rule show
0:      from all lookup local
32765:  from all fwmark 0x162 lookup 354
32766:  from all lookup main
32767:  from all lookup default

===================== 端口占用状态 =====================
tcp   0  0 :::7890          :::*    LISTEN  24351/clash
tcp   0  0 :::7891          :::*    LISTEN  24351/clash
tcp   0  0 :::7892          :::*    LISTEN  24351/clash
tcp   0  0 :::7893          :::*    LISTEN  24351/clash
tcp   0  0 :::9090          :::*    LISTEN  24351/clash
udp   0  0 127.0.0.1:7874   0.0.0.0:*       24351/clash
udp   0  0 :::7891          :::*            24351/clash
udp   0  0 :::7892          :::*            24351/clash
udp   0  0 :::7893          :::*            24351/clash

===================== 测试本机DNS查询 =====================
Server:    127.0.0.1
Address:   127.0.0.1#53

Name:      www.baidu.com
Address 1: 198.18.0.3
*** Can't find www.baidu.com: No answer

===================== resolv.conf.d =====================
Interface wan
nameserver 202.96.128.86
nameserver 202.96.134.133

Interface wan_6
nameserver 240e:1f:1::1

===================== 测试本机网络连接 =====================
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 277
Content-Type: text/html
Date: Mon, 07 Jun 2021 11:23:15 GMT
Etag: "575e1f6d-115"
Last-Modified: Mon, 13 Jun 2016 02:50:21 GMT
Pragma: no-cache
Server: bfe/1.0.8.18

===================== 测试本机网络下载 =====================
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 80
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "ee0c1b690f6446a4f4d66a86ed3d3b260c267e49d5b96458b21e5afc59cf319d"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 75D0:1F64:7F020:93C78:60B7DEF6
Accept-Ranges: bytes
Date: Mon, 07 Jun 2021 11:23:16 GMT
Via: 1.1 varnish
X-Served-By: cache-hkg17927-HKG
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1623064996.319576,VS0,VE0
Vary: Authorization,Accept-Encoding
Access-Control-Allow-Origin: *
X-Fastly-Request-ID: 8f19d8e012cef982fb4e6da758bbb5b0665a2ab9
Expires: Mon, 07 Jun 2021 11:28:16 GMT
Source-Age: 51
```

ToroLing commented 3 years ago

My setup is the fibre modem in bridge mode, the N1 as the main router, and VLANs down to the APs. It always worked before; this started suddenly about a month ago and I have no idea what went wrong. Please help me, V!

vernesong commented 3 years ago

Bind the interface, and don't set the WAN DNS to a local address.
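The maintainer's advice above can be checked against the resolv.conf.d section of the debug log. This is an added shell check, not part of the thread or of OpenClash: the two resolv.conf.d samples and the router addresses are constructed from the log above, and the patterns used to decide what counts as a local address are an assumption.

```shell
#!/bin/sh
# Added example: flag WAN nameservers that point back at the router itself.
# Constructed from the resolv.conf.d and "ip route list" sections of the log above.

# Healthy case: external upstreams only (constructed sample modelled on the log).
GOOD_RESOLV='Interface wan
nameserver 202.96.128.86
nameserver 202.96.134.133
Interface wan_6
nameserver 240e:1f:1::1'

# Misconfiguration the maintainer warns about: WAN DNS set to the router's LAN address.
BAD_RESOLV='Interface wan
nameserver 192.168.0.254
nameserver 202.96.128.86'

# The router's own addresses (src of br-lan and docker0 routes in the log).
ROUTER_ADDRS="192.168.0.254 172.31.0.1"

# classify_ns ADDR [ROUTER_ADDRS]: prints "local" for loopback, RFC1918, ULA,
# link-local or one of the router's own addresses, "ok" otherwise.
# The prefix patterns are a coarse assumption, not an exhaustive address parser.
classify_ns() {
  for own in $2; do
    [ "$1" = "$own" ] && { echo local; return; }
  done
  case "$1" in
    127.*|::1|0.0.0.0|::|10.*|192.168.*|fe80:*|fd*|fc*) echo local ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo local ;;
    *) echo ok ;;
  esac
}

# check_wan_dns TEXT [ROUTER_ADDRS]: prints "IFACE ADDR" for each local nameserver.
# Returns 0 when every upstream is external, 1 when at least one is local.
check_wan_dns() {
  bad=0
  iface=-
  while read -r key val; do
    case "$key" in
      Interface) iface=$val ;;
      nameserver)
        if [ "$(classify_ns "$val" "$2")" = local ]; then
          echo "$iface $val"
          bad=1
        fi ;;
    esac
  done <<EOF
$1
EOF
  return $bad
}

check_wan_dns "$GOOD_RESOLV" "$ROUTER_ADDRS" && echo "wan DNS: all upstreams external"
check_wan_dns "$BAD_RESOLV" "$ROUTER_ADDRS" || echo "wan DNS: local upstream found, fix the interface DNS"
```

On a live router, feed it the resolv.conf.d section of the OpenClash debug log and the addresses from `ip route list`.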

hodrag commented 3 years ago

I'm hitting this too: the IPQ4019 sits at 100% load and gets less than 100 Mbps on a 200M line.

ToroLing commented 3 years ago

> Bind the interface, and don't set the WAN DNS to a local address.

Bound it, tried all of that, completely out of ideas. I also just noticed a side effect: when this happens, PuTTY cannot log in over SSH regardless of whether OpenClash is running. It worked before; now the only way to get an SSH session is through TTYD. I don't know whether it is caused by the same problem.

hodrag commented 3 years ago

My SSH is fine. I'll try setting the DNS tonight. Someone online said rolling back to 40.7 fixes it; I haven't tried that yet.

jiatianxa commented 3 years ago

Turning off AdGuardHome works wonders!

nekomiya-hinata commented 3 years ago

I've run into this too, also on an N1 in a single-arm (router-on-a-stick) setup. A few weeks ago I upgraded from 40.7 to v0.42.04-beta, and since then the network seems to drop at random. Monitoring shows that when it drops the CPU is maxed out and the TCP connection count spikes to around 10,000. After seeing your post I suspect it really is a problem with the new OpenClash version. I'm going back to 40.7 today and will watch it for a few days.

ToroLing commented 3 years ago

> I've run into this too, also on an N1 in a single-arm (router-on-a-stick) setup. A few weeks ago I upgraded from 40.7 to v0.42.04-beta, and since then the network seems to drop at random. Monitoring shows that when it drops the CPU is maxed out and the TCP connection count spikes to around 10,000. After seeing your post I suspect it really is a problem with the new OpenClash version. I'm going back to 40.7 today and will watch it for a few days.

Did switching to 40.7 improve things?

nekomiya-hinata commented 3 years ago

> > I've run into this too, also on an N1 in a single-arm (router-on-a-stick) setup. A few weeks ago I upgraded from 40.7 to v0.42.04-beta, and since then the network seems to drop at random. Monitoring shows that when it drops the CPU is maxed out and the TCP connection count spikes to around 10,000. After seeing your post I suspect it really is a problem with the new OpenClash version. I'm going back to 40.7 today and will watch it for a few days.
>
> Did switching to 40.7 improve things?

It has been very stable these last two days, no more drops.

ToroLing commented 3 years ago

So switching to 40.7 really does make the problem go away, which confirms it is a version issue.

haohaoget commented 3 months ago

The same thing happens on v0.46.003-beta ([Meta] current core version: alpha-gfeedc9e, fake-ip mixed mode, dnsmasq disabled, mosdns as the only upstream DNS). Both x86 (firmware iStoreOS 22.03.6 2024031514, kernel 5.10.201) and the N1 (83+o kernel) show the problem: TCP connections from hours ago are still kept even after the device has disconnected from the network.


kid101x commented 2 months ago

> The same thing happens on v0.46.003-beta ([Meta] current core version: alpha-gfeedc9e, fake-ip mixed mode, dnsmasq disabled, mosdns as the only upstream DNS). Both x86 (firmware iStoreOS 22.03.6 2024031514, kernel 5.10.201) and the N1 (83+o kernel) show the problem: TCP connections from hours ago are still kept even after the device has disconnected from the network.

I'm seeing this on v0.45.157 too.